NTA Monitor

Latest News

New version of network scanning tool arp-scan released

15th March 2011 A new version of a respected and popular network scanning tool has been released. Read More

Tests show rise in number of vulnerabilities affecting web applications with SQL Injection and XSS most common flaws

1st March 2011 SQL injection and cross-site scripting (XSS) were the most common flaws found in web applications in 2010 according to results from tests carried out by NTA Monitor. Read More

Assess risk to manage effects of budget cuts

9th February 2011 Signs of economic recovery may be appearing in some industries, but for most organisations - particularly in the public sector - budget cuts and cost savings are here to stay for the foreseeable future. Read More

"Basic security threats not changed in 15 years"

1st February 2011 There may have been significant technological advances to the hardware and software organisations use, but according to Roy Hills, who co-founded NTA Monitor in 1996, the basic security threats have not changed in the last 15 years. Read More

PHP-Fusion messages.php SQL Injection Vulnerability

Overview

NTA Monitor discovered a SQL Injection vulnerability in the PHP-Fusion Content Management System (CMS) on 25 July 2005.

PHP-Fusion is a popular, lightweight Content Management System (CMS) written in PHP. It provides the most common characteristics you would expect to see in any other Content Management System. PHP-Fusion is easily extendable via plugins (fusions) which makes it a flexible and versatile Web Application.

The vulnerability was disovered by Petko Petkov while performing vulnerability assesment on PHP-Fusion version 6.00.106 and 6.00.107. Other versions might be affected too.

Vulnerability Details

PHP-Fusion root directory contains a number of files that define the basic Web Application behaviour. The Private Message System is handled by messages.php. By default, only authenticated users are allowed to use this file although it is possible to access certain parts from the Private Message System logic without being authenticated.

This file improperly sanitise some POST requests, as well. The incorrect handling of POST data can be used to manipulate some SQL queries. The code between line 111 and 129 is responsible for updating users' Private Message System Preferences:

if(isset($saveoptions)) {
	if ($_POST['update_type']=='new') {
		dbquery("INSERT INTO ".$db_prefix."messages_options ( user_id, pm_email_notify, pm_save_sent )
			VALUES ( 
			'".$userdata['user_id']."',
			'".$_POST['pm_email_notify']."',
			'".$_POST['pm_save_sent']."')"
										);

	} else {
		dbquery("UPDATE ".$db_prefix."messages_options SET 
			pm_email_notify='".$_POST['pm_email_notify']."',
			pm_save_sent='".$_POST['pm_save_sent']."'
			WHERE user_id='".$userdata['user_id']."'"
		);
	}

	$message = $locale['624'];
	}

POST fields pm_email_notify and pm_save_sent are not properly sanitised. Attackers can use the following HTTP requests to inject SQL statements into the first or the second dbquery function respectively:

POST /phpfusion/messages.php?saveoptions= HTTP/1.0
	Content-Length: 35

	update_type=new&pm_email_notify=%27
POST /phpfusion/messages.php?saveoptions= HTTP/1.0 
	Content-Length: 19 

	pm_email_notify=%27

Impact

In certain circumstances this vulnerability can be considered as a Medium, even Low risk. Unfortunately, most vulnerable PHP-Fusion instances allow attackers to execute any valid SQL statement on the database server.

Solution

All GET and POST fields needs to be properly sanitised before using them in SQL queries. You can temporarily prevent possible attacks by enabling the PHP Magic Quotes feature. For more information please read references provided below.

This advisory was first released on 25th July 2005.

References

http://www.cisco.com/warp/public/707/cisco-sn-20050624-vpn-grpname.shtml PHP Magic Quotes Manual Petko Petkov's PHP-Fusion messages.php Advisory